Great suggestions, Ed, thank you! And thanks so much for your close review!
Kathy
> Fantastic work Kathy! Surely we don’t want to introduce the ‘ICANN
> defense’ into the international legal vernacular (‘Sorry your honour,
> ICANN made me do it!’).
> Two minor suggestions:
> 1. The NCSG is much more than mere organizations; we’re also the home
> of individual noncommercial users within the GNSO. Perhaps we could
> reflect that in the introduction, such as:
> The Noncommercial Stakeholders Group represents noncommercial
> organizations /and individual noncommercial users/ in their work in
> the policy and proceedings of ICANN and the GNSO.
> 2. As the third “triggering event” you have, in part, “Receipt of a
> written legal opinion from a nationally recognized law firm in the
> applicable jurisdiction”.
> Here in the United Kingdom some of the most prominent solicitors
> practicing in both the cyber and privacy realms are solo
> practitioners, often practicing in combination with a part time
> lecturing career. Think of, for example, Jeremy Phillips. I’d hate to
> give the big law firms any advantage over the equally qualified
> solicitor or barrister who does not belong to a firm. Consider,
> perhaps amending the statement, as such:
> Receipt of a written legal opinion from a nationally recognized law
> firm /or qualified legal practitioner/ in the applicable jurisdiction.
>
> Thanks for considering and thanks again, Kathy, for all of this. It’s
> really great work!
>
> -----Original Message-----
> From: Kathy Kleiman <[log in to unmask]>
> To: [log in to unmask]
> Date: Tue, 29 Jul 2014 13:44:44 -0400
> Subject: Draft Comments for Whois Proceeding
> To Rafik, NCSG Executive Committee and NCSG Membership,
> There is an important, but very quiet comment proceeding that has
> been taking place this summer. It is the /Review of the ICANN
> Procedure for Handling WHOIS Conflicts with Privacy Law/ at
> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
> Stephanie put out a call for comments, and not seeing any, I
> drafted these. It has been dismaying ever since ICANN adopted
> its Consensus Procedure for Handling WHOIS Conflicts with Privacy
> law -- because it basically requires that Registrars and
> Registries have to be sued or receive an official notice of
> violation before they can ask ICANN for a waiver of the Whois
> requirements. That always seemed very unfair -- that you have to be
> exposed to allegation of illegal activity in order to protect
> yourself or your Registrants under your national data protection
> and privacy laws.
> In the more recent Data Retention Specification, of the 2013 RAA,
> ICANN Staff and Lawyers saw this problem and corrected it -- now
> Registrars can be much more pro-active in showing ICANN that a
> certain clause in their contract (e.g., extended data retention)
> is a clear violation of their national law (e.g., more limited
> data retention).
> So to this important comment proceeding, I drafted these comments
> for us to submit. As Reply Comments (during the Reply Period), we
> are asked to respond to other commenters. That's easy as the
> European Commission and Registrar Blacknight submitted useful
> comments.
> Rafik, can we edit, finalize and submit by the deadline on Friday?
> Comments below and attached. If you have edits, in the interest of
> time, kindly suggest alternate language. Tx!!
> Best,
> Kathy
> --------------------------------------------------------------------------------------------------------
>
> DRAFT NCSG Response to the Questions of the
> /Review of the ICANN Procedure for Handling WHOIS Conflicts with
> Privacy Law/
> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
> *Introduction*
> The Noncommercial Stakeholders Group represents noncommercial
> organizations in their work in the policy and proceedings of ICANN
> and the GNSO. We respectfully submit as an opening premise that
> every legal business has the right and obligation to operate
> within the bounds and limits of its national laws and regulations.
> No legal business establishes itself to violate the law; and to do
> so is an invitation to civil and criminal penalties. ICANN
> Registries and Registrars are no different – they want and need to
> abide by their laws.
> Thus, it is timely for ICANN to raise the questions of this
> proceeding, /Review of the ICANN Procedure for Handling WHOIS
> Conflicts with Privacy Law/ (albeit at a busy time for the
> Community and at the height of summer; we expect to see more
> interest in this time towards the Fall). We submit these comments
> in response to the issues raised and the questions asked.
> *Background*
> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law/
> was adopted in 2006 after years of debate on Whois issues. This
> Consensus Procedure was the first step of recognition that data
> protection laws and privacy law DO apply to the personal and
> sensitive data being collected by Registries and Registrars for
> the Whois database.
> But for those of us in the Noncommercial Users Constituency (now
> part of the Noncommercial Stakeholders Group/NCSG) who helped
> debate, draft and adopt this Consensus Procedure in the mid-2000s,
> we were always shocked that the ICANN Community did not do more.
> At the time, multiple Whois Task Forces were at work with multiple
> proposals which include important and pro-active suggestions to
> allow Registrars and Registries to come into compliance with their
> national data protection and privacy laws.
> At the time, we never expected this Consensus Procedure to be an
> end itself – but the first step of many steps. It was an “end” for
> too long, so we are glad the discussion is reopened and once again
> we seek to allow Registrars and Registries to be in full
> compliance with their national data protection and privacy laws –
> from the moment they enter into their contracts with ICANN.
> *II. Data Protection and Privacy Laws – A Quick Overview of the
> Principles that Protect the Personal and Sensitive Data of
> Individuals and Organizations/Small Businesses*
> /*[Stephanie, Tamir or Others with Expertise in Canadian and
> European Data Protection Laws may choose to add something here].*/
> III. Questions asked of the Community in this Proceeding
> The ICANN Review Paper raised a number of excellent questions. In
> keeping with the requirements of a Reply Period, these NCSG
> comments will address both our comments and those comments we
> particularly support in this proceeding.
>
> 1.1 Is it impractical for ICANN to require that a contracted
> party already has litigation or a government proceeding
> initiated against it prior to being able to invoke the
> Whois Procedure?
>
> 1.1 Response: Yes, it is completely impractical (and ill-advised)
> to force a company to violate a national law as a condition of
> complying with that national law. Every lawyer advises businesses
> to comply with the laws and regulations of their field. To do
> otherwise is to face fines, penalties, loss of the business, even
> jail for officers and directors. Legal business strives to be
> law-abiding; no officer or director wants to go to jail for her
> company's violations. It is the essence of an attorney's advice to
> his/her clients to fully comply with the laws and operate clearly
> within the clear boundaries and limits of laws and regulations,
> both national, by province or state and local.
> In these Reply Comments, we support and encourage ICANN to adopt
> policies consistent with the initial comments submitted by the
> European Commission:
>
> o that the Whois Procedure be changed from requiring
>   specific prosecutorial action instead to allowing
>   “demonstrating evidence of a potential conflict widely and
>   e.g. accepting information on the legislation imposing
>   requirements that the contractual requirements would
>   breach as sufficient evidence.” (European Commission comments)
>
> We also agree with Blacknight:
>
> o “It's completely illogical for ICANN to require that a
>   contracting party already has litigation before they can
>   use a process. We would have loved to use a procedure or
>   process to get exemptions, but expecting us to already be
>   litigating before we can do so is, for lack of a better
>   word, nuts.” (Blacknight comments in this proceeding).
>
> 1.1a How can the triggering event be meaningfully defined?
> 1.1a Response: This is an important question. Rephrased, we might
> ask together – what must a Registry or Registrar show ICANN in
> support of its claim that certain provisions involving Whois data
> violate provisions of national data protection and privacy laws?
> NCSG respectfully submits that there are at least four “triggering
> events” that ICANN should recognize:
>
> o Evidence from a national Data Protection Commissioner or
>   his/her office (or from an internationally recognized body
>   of national Data Protection Commissioners in a certain
>   region of the world, including the Article 29 Working
>   Party that analyzes the national data protection and
>   privacy laws) that ICANN's contractual obligations for
>   Registry and/or Registrar contracts violate the data
>   protection laws of their country or their group of countries;
> o Evidence of legal and/or jurisdictional conflict arising
>   from analysis performed by ICANN's legal department or by
>   national legal experts hired by ICANN to evaluate the
>   Whois requirements of the ICANN contracts for compliance
>   and conflicts with national data protection laws and
>   cross-border transfer limits (similar to the process we
>   understand was undertaken for the data retention issue);
> o Receipt of a written legal opinion from a nationally
>   recognized law firm in the applicable jurisdiction that
>   states that the collection, retention and/or transfer of
>   certain Whois data elements as required by Registrar or
>   Registry Agreements is “reasonably likely to violate the
>   applicable law” of the Registry or Registrar (per the
>   process allowed in RAA Data Retention Specification); or
> o An official opinion of any other governmental body of
>   competent jurisdiction providing that compliance with the
>   data protection requirements of the Registry/Registrar
>   contracts violates applicable national law (although such
>   pro-active opinions may not be the practice of the Data
>   Protection Commissioner's office).
>
> The above list draws from the comments of the European Commission,
> Data Retention Specification of the 2013 Registrar Accreditation
> Agreement, and sound compliance and business practices for the
> ICANN General Counsel's office.
> We further agree with Blacknight that the requirements for
> triggering any review and consideration by ICANN be: simple and
> straightforward, quick and easy to access.
> 1.3 Are there any components of the triggering event/notification
> portion of the RAA's Data Retention waiver process that should be
> considered as optional for incorporation into a modified Whois
> Procedure?
> 1.3 Response: Absolutely, the full list in 1.1a above, together
> with other constructive contributions in the Comments and Reply
> Comments of this proceeding, should be strongly considered for
> incorporation into a modified Whois Procedure, or simply written
> into the contracts of the Registries and Registrars contractual
> language, or a new Annex or Specification.
> We respectfully submit that the obligation of Registries and
> Registrars to comply with their national laws is not a matter of
> multistakeholder decision making, but a matter of law and
> compliance. In this case, we wholeheartedly embrace the concept of
> building a process together that will allow exceptions for data
> protection and privacy laws to be adopted quickly and easily.
> 1.4 Should parties be permitted to invoke the Whois Procedure
> before contracting with ICANN as a registrar or registry?
> 1.4 Response: Of course, Registries and Registrars should be
> allowed to invoke the Whois Procedure, or other appropriate
> annexes and specifications that may be added into Registry and
> Registrar contracts with ICANN. As discussed above, the right of a
> legal company to enter into legal contracts is the most basic of
> expectations under law.
> 2.1 Are there other relevant parties who should be included in
> this step?
> 2.1 Response: We agree with the EC that ICANN should be working as
> closely with National Data Protection Authorities as they will
> allow. In light of the overflow of work into these national
> commissions, and the availability of national experts at law
> firms, ICANN should also turn to the advice of private experts,
> such as well-respected law firms who specialize in national data
> protection laws. The law firm's opinions on these matters would
> help to guide ICANN's knowledge and evaluation of this important
> issue.
> 3.1 How is an agreement reached and published?
> 3.1 Response. As discussed above, compliance with national law may
> not be the best matter for negotiation within a multistakeholder
> process. It really should not be a choice for others to make
> whether you comply with your national data protection and privacy
> laws. That said, the process of refining the Consensus Procedure,
> and adopting new policies and procedures, or simply putting new
> contract provisions, annexes or specifications into the Registry
> and Registrar contracts SHOULD be subject to community discussion,
> notification and review. But once the new process is adopted, we
> think the new changes, variations, modifications or exceptions of
> Individual Registries and Registrars need go through a public
> review and process. The results, however, should be published for
> Community notification and review.
> We note that in conducting the discussion with the Community on
> the overall or general procedure, policy or contractual changes,
> ICANN should be assertive in its outreach to the Data Protection
> Commissioners. Individually and through their organizations, they
> have offered to help ICANN evaluate this issue numerous times. The
> Whois Review Team noted the inability of many external bodies to
> monitor ICANN regularly, but the need for outreach to them by
> ICANN staff nonetheless:
> *Recommendation 3: Outreach*
> *ICANN should ensure that WHOIS policy issues are accompanied by
> cross-community outreach, including outreach to the communities
> outside of ICANN with a specific interest in the issues, and an
> ongoing program for consumer awareness.*
> This is a critical policy item for such outreach and input.
> 3.2 If there is an agreed outcome among the relevant parties,
> should the Board be involved in this procedure?
> 3.2 Response: Clearly, the changing of the procedure, or the
> adoption of a new policy or new contractual language for
> Registries and Registrars, Board oversight and review should be
> involved. But once the new procedure, policy or contractual
> language is in place, then subsequent individual changes,
> variations, modifications or exceptions should be handled through
> the process and ICANN Staff – as the Data Retention Process is
> handled today.
> 4.1 Would it be fruitful to incorporate public comment in each of
> the resolution scenarios?
> 4.1 Response: We think this question means whether there should be
> public input on each and every exception? We respectfully submit
> that the answer is No. Once the new policy, procedure or
> contractual language is adopted, then the process should kick in
> and the Registrar/Registry should be allowed to apply for the
> waiver, modification or revision consistent with its data
> protection and privacy laws. Of course, once the waiver or
> modification is granted, the decision should be a matter of public
> record so that other Registries and Registrars in the jurisdiction
> know and so that the ICANN Community as a whole can monitor this
> process' implementation and compliance.
> Step Five: Public notice
> 5.2 Is the exemption or modification termed to the length of the
> agreement? Or is it indefinite as long as the contracted party is
> located in the jurisdiction in question, or so long as the
> applicable law is in force?
> 5.2 Response: We agree with the European Commission in its
> response, /“By logic the exemption or modification shall be in
> place as long as the party is subject to the jurisdiction in
> conflict with ICANN rules. If the applicable law was to change, or
> the contacted party moved to a different jurisdiction, the
> conditions should be reviewed to assess if the exemption is still
> justified.”/ But provided it is the same parties, operating under
> the same laws, the modification or change should continue through
> the duration of the relationship between the Registry/Registrar
> and ICANN.
> 5.3 Should an exemption or modification based on the same laws
> and facts then be granted to other affected contracted parties in
> the same jurisdiction without invoking the Whois Procedure?
> 5.3 Response. The European Commission in its comments wrote, and
> we strongly agree: /“the same exception should apply to others in
> the same jurisdiction who can demonstrate that they are in the
> same situation.”/ Further, Blacknight wrote and we support: /“if
> ANY registrar in Germany, for example, is granted a waiver based
> on German law, than ALL registrars based in Germany should receive
> the same treatment.”/ Once a national data protection or privacy
> law is interpreted as requiring an exemption or modification, it
> should be available to all Registries/Registrars in that country.
> Further, we recommend that ICANN should be required to notify each
> gTLD Registry and Registrar in the same jurisdiction as that of
> the decision so they will have notice of the change.
> We thank ICANN staff for holding this comment period.
> Respectfully submitted,
> NCSG
> DRAFT
>